Update to monorepo commit aa8eacc4bb64f41c3b14d307fab1263ec80e8048

Author: svc-osmo-ci

BUILD_AND_TEST.md

@@ -258,12 +258,6 @@ workstation to your local host.
 The OSMO UI and APIs for the core service can now be accessed on your local machine at:
 http://ingress-nginx-controller.ingress-nginx.svc.cluster.local
 
-Next, login into OSMO using the CLI:
-
-```sh
-bazel run @osmo_workspace//src/cli -- login http://ingress-nginx-controller.ingress-nginx.svc.cluster.local --method=dev --username=testuser
-```
-
 ### Start OSMO Backend
 
 ```sh

DEV.md

@@ -50,22 +50,16 @@ This command:
 
 ### Start OSMO Backend
 
-To start the backend, you must be logged into OSMO using the CLI:
-
-```sh
-bazel run @osmo_workspace//src/cli -- login http://$HOST_IP:8000 --method=dev --username=testuser
-```
-
-Then start the backend:
+After OSMO services are started, start the backend:
 
 ```sh
 bazel run @osmo_workspace//run:start_backend -- --mode bazel
 ```
 
 This command:
 
-- Checks for a kubernetes backend cluster that can be used for compute
-  - If one is not accessible, a KIND cluster is created for compute
+- Checks for a KIND backend cluster that can be used for compute
+  - If one is not accessible, a new KIND cluster is created for compute
 - Starts backend operators (listener, worker) using bazel
 
 ### Update Configuration
@@ -87,6 +81,11 @@ The OSMO UI and APIs can be accessed at: `http://$HOST_IP:8080`
 
 ## Next steps
 
+Log into OSMO using the CLI:
+```sh
+bazel run @osmo_workspace//src/cli -- login http://$HOST_IP:8000 --method=dev --username=testuser
+```
+
 Test your setup with:
 
 ```sh

QUICK_START.md

@@ -40,30 +40,8 @@ mkdir -p ~/osmo-quick-start && cd ~/osmo-quick-start
 
 ### Download and Install OSMO CLI
 
-#### Linux AMD64
-
-> Download from [osmo-client-linux](https://catalog.ngc.nvidia.com/orgs/nvidia/teams/osmo/resources/osmo-client-linux)
-
 ```bash
-# cd to downloaded CLI tgz
-sudo tar -xzf osmo-client-linux_6.0.0.c18411774.tgz -C /usr/local
-rm osmo-client-linux_6.0.0.c18411774.tgz
-
-# Create symlink
-sudo ln -s -f /usr/local/osmo /usr/local/bin/osmo
-```
-
-#### MacOS ARM64
-
-> Download from [osmo-client-macos](https://catalog.ngc.nvidia.com/orgs/nvidia/teams/osmo/resources/osmo-client-macos)
-
-```bash
-# cd to downloaded CLI pkg
-open -W osmo-client-macos_6.0.0.c18411774.pkg
-rm osmo-client-macos_6.0.0.c18411774.pkg
-
-# Create symlink
-sudo ln -s -f /usr/local/osmo /usr/local/bin/osmo
+curl -fsSL https://raw.githubusercontent.com/NVIDIA/OSMO/refs/heads/main/install.sh | bash
 ```
 
 ## 2. Configure variables
@@ -185,11 +163,18 @@ helm upgrade --install osmo nvstaging-osmo/osmo-quick-start \
   --version 1.0.0 \
   --namespace osmo \
   --create-namespace \
+  --wait \
   --set global.containerRegistry.password="$CONTAINER_REGISTRY_PASSWORD" \
   --set global.nodeSelector."kubernetes\.io/arch"=$ARCH \
   --set ingress-nginx.controller.nodeSelector."kubernetes\.io/arch"=$ARCH
 ```
 
+Installing the chart will take about 5 minutes. If you're curious what's happening, you can monitor with:
+
+```bash
+kubectl get pods --namespace osmo
+```
+
 See [Configuration Options](./deployments/charts/osmo-quick-start/README.md#configuration) in the
 `osmo-quick-start` chart for more ways to install the chart.
 
@@ -198,16 +183,15 @@ See [Configuration Options](./deployments/charts/osmo-quick-start/README.md#conf
 Add the following line to your `/etc/hosts` file:
 
 ```bash
-echo "127.0.0.1 osmo-ingress-nginx-controller.osmo.svc.cluster.local" | sudo tee -a /etc/hosts
+echo "127.0.0.1 quick-start.osmo" | sudo tee -a /etc/hosts
 ```
 
 ## 5. Using OSMO
 
 ### Login to OSMO
 
 ```bash
-osmo login http://osmo-ingress-nginx-controller.osmo.svc.cluster.local \
-  --method=dev --username=testuser
+osmo login http://quick-start.osmo --method=dev --username=testuser
 ```
 
 ### Run a workflow

deployments/charts/backend-operator/README.md

@@ -110,6 +110,7 @@ This Helm chart deploys the OSMO Backend-Operator for managing compute backend r
 | `services.backendListener.imageName` | Listener image name | `backend-listener` |
 | `services.backendListener.imagePullPolicy` | Image pull policy | `Always` |
 | `services.backendListener.serviceName` | Service name | `osmo-backend-listener` |
+| `services.backendListener.initContainers` | Init containers for backend listener | `[]` |
 | `services.backendListener.serviceAccount` | Service account name | `backend-listener` |
 | `services.backendListener.max_unacked_messages` | Maximum unacked messages | `100` |
 | `services.backendListener.podCacheTtl` | Pod cache TTL in seconds | `15` |
@@ -134,6 +135,7 @@ This Helm chart deploys the OSMO Backend-Operator for managing compute backend r
 | `services.backendWorker.imageName` | Worker image name | `backend-worker` |
 | `services.backendWorker.imagePullPolicy` | Image pull policy | `Always` |
 | `services.backendWorker.serviceName` | Service name | `osmo-backend-worker` |
+| `services.backendWorker.initContainers` | Init containers for backend worker | `[]` |
 | `services.backendWorker.serviceAccount` | Service account name | `backend-worker` |
 | `services.backendWorker.extraArgs` | Additional arguments | `[]` |
 | `services.backendWorker.extraEnvs` | Additional environment variables | `[]` |

deployments/charts/backend-operator/templates/_otel-collector.tpl

@@ -19,8 +19,12 @@
 - name: otc-container
   image: "{{ .Values.sidecars.OTEL.image }}"
   securityContext:
+    allowPrivilegeEscalation: false
     capabilities:
-      drop: ["NET_RAW"]
+      drop: ["ALL"]
+    runAsNonRoot: true
+    runAsUser: 10001
+
   imagePullPolicy: IfNotPresent
   args:
   - --config=/conf/collector.yaml
@@ -29,6 +33,15 @@
   volumeMounts:
   - mountPath: /conf
     name: config
+  livenessProbe:
+    httpGet:
+      path: /metrics
+      port: 4000
+      scheme: HTTP
+    periodSeconds: 30
+    timeoutSeconds: 1
+    failureThreshold: 3
+    successThreshold: 1
   resources:
   {{- toYaml .Values.sidecars.OTEL.resources | nindent 4 }}
 {{- end }}

deployments/charts/backend-operator/templates/backend-listener.yaml

@@ -57,6 +57,10 @@ spec:
       - name: {{ .Values.global.imagePullSecret }}
       {{- end }}
       serviceAccountName: {{ include "backend-operator.listener.serviceAccountName" . }}
+      {{- with .Values.services.backendListener.initContainers }}
+      initContainers:
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
       hostAliases:
         {{- with .Values.services.backendListener.hostAliases }}
           {{- toYaml . | nindent 8}}
@@ -66,6 +70,12 @@ spec:
       - name: backend-listener
         image: {{ .Values.global.osmoImageLocation }}/{{ .Values.services.backendListener.imageName }}:{{ .Values.global.osmoImageTag }}
         imagePullPolicy: {{ .Values.services.backendListener.imagePullPolicy }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
+          runAsNonRoot: true
+          runAsUser: 1001
         command:
         - backend_listener
         args:
@@ -74,6 +84,11 @@ spec:
         {{- if eq .Values.global.loginMethod "password" }}
         - --username
         - {{ .Values.global.accountUsername }}
+        - --password_file
+        - /opt/osmo/secrets/password.txt
+        {{- else if eq .Values.global.loginMethod "token" }}
+        - --token_file
+        - /opt/osmo/secrets/token.txt
         {{- end }}
         - --login_method
         - {{ .Values.global.loginMethod }}
@@ -103,28 +118,28 @@ spec:
         - {{$arg}}
         {{- end }}
         env:
-        {{- if eq .Values.global.loginMethod "password" }}
-        - name: OSMO_LOGIN_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.global.accountPasswordSecret }}
-              key: {{ .Values.global.accountPasswordSecretKey }}
-        {{- else if eq .Values.global.loginMethod "token" }}
-        - name: OSMO_LOGIN_TOKEN
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.global.accountTokenSecret }}
-              key: {{ .Values.global.accountTokenSecretKey }}
-        {{- end }}
         {{- with .Values.services.backendListener.extraEnvs }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
         resources:
           {{- toYaml .Values.services.backendListener.resources | nindent 10 }}
-        {{- if .Values.services.backendListener.volumeMounts }}
+        {{- if or .Values.services.backendListener.volumeMounts (eq .Values.global.loginMethod "password") (eq .Values.global.loginMethod "token") }}
         volumeMounts:
+        {{- if eq .Values.global.loginMethod "password" }}
+        - name: osmo-secret
+          mountPath: /opt/osmo/secrets/password.txt
+          subPath: password.txt
+          readOnly: true
+        {{- else if eq .Values.global.loginMethod "token" }}
+        - name: osmo-secret
+          mountPath: /opt/osmo/secrets/token.txt
+          subPath: token.txt
+          readOnly: true
+        {{- end }}
+        {{- if .Values.services.backendListener.volumeMounts }}
           {{- toYaml .Values.services.backendListener.volumeMounts | nindent 8 }}
         {{- end }}
+        {{- end }}
 
         livenessProbe:
           exec:
@@ -137,7 +152,6 @@ spec:
           failureThreshold: 1
           periodSeconds: 30
           timeoutSeconds: 15
-
         # Give the container 60 seconds to startup
         startupProbe:
           exec:
@@ -158,11 +172,26 @@ spec:
       {{- with .Values.services.backendListener.extraSidecarContainers }}
       {{- toYaml . | nindent 6 }}
       {{- end }}
-      {{- if or .Values.services.backendListener.volumes .Values.sidecars.OTEL.enabled }}
+      {{- if or .Values.services.backendListener.volumes .Values.sidecars.OTEL.enabled (eq .Values.global.loginMethod "password") (eq .Values.global.loginMethod "token") }}
       volumes:
       {{- if .Values.services.backendListener.volumes }}
         {{- toYaml .Values.services.backendListener.volumes | nindent 6 }}
       {{- end }}
+      {{- if eq .Values.global.loginMethod "password" }}
+      - name: osmo-secret
+        secret:
+          secretName: {{ .Values.global.accountPasswordSecret }}
+          items:
+            - key: {{ .Values.global.accountPasswordSecretKey }}
+              path: password.txt
+      {{- else if eq .Values.global.loginMethod "token" }}
+      - name: osmo-secret
+        secret:
+          secretName: {{ .Values.global.accountTokenSecret }}
+          items:
+            - key: {{ .Values.global.accountTokenSecretKey }}
+              path: token.txt
+      {{- end }}
       {{- if .Values.sidecars.OTEL.enabled }}
         {{- include "backend-operator.OTELVolumes" (dict "Values" .Values "Prefix" $name) | nindent 6 }}
       {{- end }}

deployments/charts/backend-operator/templates/backend-worker.yaml

@@ -57,6 +57,10 @@ spec:
       - name: {{ .Values.global.imagePullSecret }}
       {{- end }}
       serviceAccountName: {{ include "backend-operator.worker.serviceAccountName" . }}
+      {{- with .Values.services.backendWorker.initContainers }}
+      initContainers:
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
       hostAliases:
         {{- with .Values.services.backendWorker.hostAliases }}
           {{- toYaml . | nindent 8}}
@@ -66,6 +70,12 @@ spec:
       - name: backend-worker
         image: {{ .Values.global.osmoImageLocation }}/{{ .Values.services.backendWorker.imageName }}:{{ .Values.global.osmoImageTag }}
         imagePullPolicy: {{ .Values.services.backendWorker.imagePullPolicy }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
+          runAsNonRoot: true
+          runAsUser: 1001
         command:
         - backend_worker
         args:
@@ -74,6 +84,11 @@ spec:
         {{- if eq .Values.global.loginMethod "password" }}
         - --username
         - {{ .Values.global.accountUsername }}
+        - --password_file
+        - /opt/osmo/secrets/password.txt
+        {{- else if eq .Values.global.loginMethod "token" }}
+        - --token_file
+        - /opt/osmo/secrets/token.txt
         {{- end }}
         - --login_method
         - {{ .Values.global.loginMethod }}
@@ -103,26 +118,24 @@ spec:
         - {{$arg}}
         {{- end }}
         env:
-        {{- if eq .Values.global.loginMethod "password" }}
-        - name: OSMO_LOGIN_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.global.accountPasswordSecret }}
-              key: {{ .Values.global.accountPasswordSecretKey }}
-        {{- else if eq .Values.global.loginMethod "token" }}
-        - name: OSMO_LOGIN_TOKEN
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.global.accountTokenSecret }}
-              key: {{ .Values.global.accountTokenSecretKey }}
-        {{- end }}
         {{- with .Values.services.backendWorker.extraEnvs }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
         resources:
           {{- toYaml .Values.services.backendWorker.resources | nindent 10 }}
-        {{- if or .Values.backendTestRunner.enabled .Values.services.backendWorker.volumeMounts }}
+        {{- if or .Values.backendTestRunner.enabled .Values.services.backendWorker.volumeMounts (eq .Values.global.loginMethod "password") (eq .Values.global.loginMethod "token") }}
         volumeMounts:
+        {{- if eq .Values.global.loginMethod "password" }}
+        - name: osmo-secret
+          mountPath: /opt/osmo/secrets/password.txt
+          subPath: password.txt
+          readOnly: true
+        {{- else if eq .Values.global.loginMethod "token" }}
+        - name: osmo-secret
+          mountPath: /opt/osmo/secrets/token.txt
+          subPath: token.txt
+          readOnly: true
+        {{- end }}
         {{- if .Values.backendTestRunner.enabled }}
         - name: backend-test-runner-template
           mountPath: /tmp/backend-test-runner
@@ -145,7 +158,7 @@ spec:
           failureThreshold: 1
           periodSeconds: 30
           timeoutSeconds: 15
-        # # Give the container 60 seconds to startup
+        # Give the container 60 seconds to startup
         startupProbe:
           exec:
             command:
@@ -166,11 +179,26 @@ spec:
       {{- toYaml . | nindent 6 }}
       {{- end }}
 
-      {{- if or .Values.backendTestRunner.enabled .Values.services.backendWorker.volumes .Values.sidecars.OTEL.enabled }}
+      {{- if or .Values.backendTestRunner.enabled .Values.services.backendWorker.volumes .Values.sidecars.OTEL.enabled (eq .Values.global.loginMethod "password") (eq .Values.global.loginMethod "token") }}
       volumes:
       {{- if .Values.services.backendWorker.volumes }}
       {{- toYaml .Values.services.backendWorker.volumes | nindent 6 }}
       {{- end }}
+      {{- if eq .Values.global.loginMethod "password" }}
+      - name: osmo-secret
+        secret:
+          secretName: {{ .Values.global.accountPasswordSecret }}
+          items:
+            - key: {{ .Values.global.accountPasswordSecretKey }}
+              path: password.txt
+      {{- else if eq .Values.global.loginMethod "token" }}
+      - name: osmo-secret
+        secret:
+          secretName: {{ .Values.global.accountTokenSecret }}
+          items:
+            - key: {{ .Values.global.accountTokenSecretKey }}
+              path: token.txt
+      {{- end }}
       {{- if .Values.backendTestRunner.enabled }}
       - name: backend-test-runner-template
         configMap: